During the launch of the Apple iPhone X one of the major 'triumphs' of the device was highlighted as the convenience and security offered by Face ID. As mentioned at the time, Apple assured those interested that Face ID can't be fooled by photos or masks and is so secure that it is enabled to authorise Apple Pay. A few days ago a Vietnamese security firm, Bkav, set up a proof of concept experiment to prove Apple wrong - and it succeeded in fooling Face ID with a mask.
Bkav isn't new to this kind of security testing. It claims that in 2008 it was the first to show "that face recognition was not an effective security measure for laptops". This expertise is part of the reason Bkav's mask fooled the iPhone X face scanner while Wired could not. Another reason for Bkav's success is that it "understands how the AI of Face ID works and how to bypass it". Bkav completed its bypassing of Face ID within a week of the delivery of its iPhone X.
Researchers at Bkav constructed a rather unsettling-looking mask. "The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID," explains Mr. Ngo Tuan Anh, Bkav's Vice President of Cyber Security.
In a FAQ the security firm claims that a regular 3D printer was used for most of the face construction but the nose was made by hand by an artist using silicone, as were some skin sections. Other parts of the mask are just 2D images and a makeup artist has done a bit of work too. Overall the cost of making such a mask was quoted to be $150. That is likely the materials cost to Bkav; I'm sure the cost of the service would be much more.
Though the bypass of Apple's Face ID was said to be 'easy' for Bkav, they think such hacks will only be leveraged against billionaires, leaders of major corporations, national leaders and so on. However, it's also important for security and policing organisations to know about the limits of Face ID.
Apple iPhone X presentation: Phil Schiller talked about Face ID's resistance to mask attacks.
During the iPhone launch, Apple didn't claim that the Face ID system was infallible, but that it is a million to one shot that someone else shares enough of the same facial features to unlock your phone. It added that by this metric it is better than the claimed 50,000 to one of the Touch ID system. However, Bkav concludes that currently "for biometric security, fingerprint is the best".